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We Claim: 

1 . A gateway for mobile access, comprising: 

a foreign agent that receives user profile data and session state data from a home 
authentication, authorization and accounting (AAA) system of a mobile node; 
5 at least one dynamic packet filter that performs multi-layer filtering based on the user 

profile data; 

wherein the foreign agent transfers a session from a first network to a second network 
without session interruption, using the session state data, when the mobile node moves from 
the first network to the second network, and 
10 the foreign agent uses the dynamic packet filter to permit Internet access by the 

mobile node without passing Internet data requested by the mobile node through a network in 
which the home AAA system is located. 

2 The gateway of claim 1 , further comprising a MAC-address-based filter which blocks 
packets except for authentication packets that are used to authenticate mobile nodes. 

15 3 . The gateway of claim 1 , wherein the dynamic packet filter performs network layer 
filtering and one of the group consisting of transport layer filtering and application layer 
filtering. 

4. The gateway of claim 1 , further comprising a non- volatile storage device in which the 
user profile data are stored. 

20 5 . The gateway of claim 1 , wherein the non- volatile storage device has a database that 
stores state information for each active user session. 

6. The gateway of claim 1, wherein the gateway is coupled to at least one access point, 
and the gateway transmits from a AAA server in the gateway to the access point an 
identification of whether a mobile node in communication with the access point is 

25 successfully authenticated by the AAA server. 

7. The gateway of claim 1 , wherein the gateway exchanges AAA data with the home 
AAA system of the mobile node by way of the Internet, and the gateway provides Internet 
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access to the mobile node without passing Internet data requested by the mobile node through 
the network of the home AAA system. 

8. The gateway of claim 7, wherein the gateway relays remote authentication dial-in user 
service packets to the home AAA server. 

5 9. The gateway of claim 1, wherein the gateway has a foreign agent that communicates 
with the home AAA system of the mobile node, and the foreign agent is capable of operating 
in a relay mode, in which the foreign agent forwards packets to the home AAA of the mobile 
IP node for authentication, or in a standalone mode, in which authentication computations for 
the simple IP mobile node are performed in the gateway. 

10 10. The gateway of claim 1 , the user profile data include per-user policies dynamically 
obtained from the home AAA server of the mobile node and the gateway further the dynamic 
packet filter is included in a firewall that uses packet filtering rules that depend on the per- 
user policies. 

1 1 . The gateway of claim 10, wherein the firewall includes rules that check a media 
15 access control address associated with each received packet. 

12. The gateway of claim 1, further comprising an 802.1 1 access point contained within 
or attached to a housing of the gateway. 

13. The gateway of claim 1, further comprising a wireless modem contained within or 
attached to a housing of the gateway. 

20 14. The gateway of claim 1 , further comprising: 

an 802.1 1 access point contained within or attached to a housing of the gateway; and 
a wireless modem contained within or attached to a housing of the gateway. 

15. A gateway for mobile access, comprising: 

a foreign agent that receives user profile data from a home authentication, 
25 authorization and accounting (AAA) system of a client, when the client establishes a session 
with the gateway; 
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a dynamic packet filter that performs multi-layer filtering based on the user profile 

data; 

an access point contained within or attached to a housing of the gateway, for 
communication between the gateway and the client; and 
5 a wireless modem contained within or attached to a housing of the gateway, wherein 

the gateway is mobile, and the modem permits wireless communication between the gateway 
and a wireless network. 

16. The gateway of claim 15, wherein the gateway provides Internet access to the client 
without passing Internet data requested by the client through a network containing the home 

1 0 AAA system of the client. 

17. The gateway of claim 15, wherein the foreign agent is capable of obtaining a new IP 
address when the gateway moves from a first network to a second network. 

18. The gateway of claim 16, wherein , the foreign agent is capable of advertising the new 
IP address to the client. 

15 19. The gateway of claim 1 5 , wherein the dynamic packet filter performs network layer 
filtering and one of the group consisting of transport layer filtering and application layer 
filtering. 

20. The gateway of claim 15, further comprising a non-volatile storage device that stores 
the session state data, and means for transmitting the stored session state data to the client if 

20 the client loses a connection with the gateway and resumes the connection with the gateway. 

21. A gateway for mobile communications, comprising: 
a router connectable to a network; 

means for interrogating a authentication, authorization and accounting (AAA) server 
with which a mobile node is associated, to determine to which network resources the gateway 
25 permits the mobile node access, and to determine a set of one or more user-specific firewall 
policies associated with the mobile node; 

a firewall capable of implementing the set of user-specific firewall policies associated 
with the mobile node. 
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22. The gateway of claim 2 1 , wherein: 

the interrogating means obtains AAA data associated with the mobile node from the 
home AAA server each time the mobile node begins operating in the proximity of the 
gateway, and 

5 the firewall dynamically updates the user-specific firewall policies each time the 

AAA data for the mobile node are obtained. 

23 . The gateway of claim 2 1 , wherein the home AAA server of the mobile node is a 3G 
AAA server. 

24. The gateway of claim 21, wherein the gateway has a port for directly or indirectly 
1 0 connecting an 802. 1 1 access point. 

25. A method for controlling mobile access, comprising the steps of: 
obtaining user profile data of a mobile IP node from a home authentication, 

authorization and accounting (AAA) server of the mobile IP node, to determine whether the 
mobile IP node is registered to access a network by way of a gateway; 
1 5 performing multi-layer filtering based on the user profile data; 

transferring a session from a first network to a second network in which the mobile IP 
node is located without session interruption, when the mobile node moves to the second 
network; and 

providing Internet access to the mobile IP node without passing Internet data 
20 requested by the mobile IP node through the a network in which the home AAA server is 
located. 

26. The method of claim 25, further comprising using packet filtering rules that depend 
on per-user policies dynamically obtained from the home AAA server of the mobile node. 

27. The method of claim 25, further comprising connecting the gateway to the Internet 
25 by a path other than by way of a third generation core network. 

28. A method for mobile communications, comprising the steps of: 

interrogating a authentication, authorization and accounting (AAA) server of a mobile 
node, to determine to which network resources the gateway permits the mobile node access, 
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and to determine a set of one or more user-specific firewall policies associated with the 
mobile node, the interrogating being performed each time the mobile node begins operating 

in the proximity of a gateway; 

implementing the set of user-specific firewall policies associated with the mobile 

node in the gateway; and 

dynamically updating the user-specific firewall policies each time the AAA server for 

the mobile node is interrogated. 

29. A computer readable medium encoded with computer program code, wherein, when 
the code is executed by a processor, the processor performs a method for controlling mobile 
access, comprising the steps of: 

filtering incoming packets based on a media access control address of each packet; 

obtaining user profile data of a mobile IP node from a home authentication, 
authorization and accounting (AAA) server of a mobile IP node, to determine whether the 
mobile IP node is registered to access a network by way of a gateway; 

performing multi-layer filtering based on the user profile data; 

transferring a session from a first network to a second network in which the mobile IP 
node is located without session interruptionwhen the mobile node moves to the second 
network; and 

providing Internet access to the mobile IP node without passing Internet data 
requested by the mobile IP node through a network in which the home AAA server is located. 

30. A computer readable medium encoded with computer program code, wherein, when 
the code is executed by a processor, the processor performs a method for mobile 
communications, comprising the steps of: 

interrogating a home authentication, authorization and accounting (AAA) server of a 
mobile node, to determine to which network resources the gateway permits the mobile node 
access, and to determine a set of one or more user-specific firewall policies associated with 
the mobile node, the interrogating being performed each time the mobile node begins 
operating in the proximity of a gateway; 

implementing the set of user-specific firewall policies associated with the mobile 

node in the gateway; and 

dynamically updating the user-specific firewall policies each time the AAA server for 

the mobile node is interrogated. 
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